
runpe's Introduction

RunPE

C# reflective loader for unmanaged binaries.

Usage

Usage: RunPE.exe <file-to-run> <args-to-file-to-run>
        e.g. RunPE.exe C:\Windows\System32\net.exe localgroup administrators

Alternative usage: RunPE.exe ---f <file-to-pretend-to-be> ---b <base64 blob of file bytes> ---a <base64 blob of args>
        e.g: RunPE.exe ---f C:\Windows\System32\svchost.exe ---b <net.exe, base64 encoded> ---a <localgroup administrators, base64 encoded>

Build configuration options

Edit the compilation symbols to quickly adjust the program flow: (Right click the project in Visual Studio -> Properties -> Build -> Conditional Compilation Symbols)

  • DEBUG (automatically added in Debug release mode) -> Very verbose logging
  • BREAK_TO_ATTACH -> Print "Press Enter to continue..." and wait for input so that a debugger can be attached

PE Compilation Limitations

Executables launched by RunPE must be statically linked in order for StdOut and StdErr redirection to work correctly. To change this setting in Visual Studio:

  • Open the project's properties
  • Navigate to Configuration Properties -> C/C++ -> Code Generation
  • Change the value of Runtime Library to either Multi-threaded (/MT) or Multi-threaded Debug (/MTd)
  • Recompile the project

Argument Limitations

Executables that do not use the Windows API CommandLineToArgvW to parse their arguments will not receive them correctly through RunPE. When running PEs whose compilation the operator controls, it is suggested to add support for parsing arguments with this API.

For example, the following code works when the program is run independently, but fails when launched through RunPE, because "foo" has been shifted to argv[2]:

/* Works when run directly ("foo" is argv[1]); under RunPE the host CRT's argv
   puts "foo" at argv[2], so bar() is never called. */
if (argc > 1 && strcmp(argv[1], "foo") == 0) {
    bar();
}

Example of refactoring argument handling to use CommandLineToArgvW:

#include <stdio.h>
#include <Windows.h>
#include <shellapi.h>   /* CommandLineToArgvW (already pulled in by Windows.h unless WIN32_LEAN_AND_MEAN) */

int main(int argc, char* argv[]) {
    int nArgs;
    LPWSTR *szArglist;

    /* Re-parse the process command line instead of trusting the CRT's argv:
       RunPE patches the PEB command line and GetCommandLineW to the target's
       own command line, so the arguments land at the expected indices. */
    szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);
    if (szArglist == NULL) {
        fprintf(stderr, "CommandLineToArgvW failed: %lu\n", GetLastError());
        return 1;
    }

    for (int i = 0; i < nArgs; i++) {
        printf("argv[%d]: %ws\n", i, szArglist[i]);
    }

    LocalFree(szArglist);   /* the whole array is one LocalAlloc block */
    return 0;
}
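To make the shift concrete, here is an added example (not part of RunPE) that implements the quoting rules documented for CommandLineToArgvW in portable C and parses two constructed command lines: the line the host RunPE.exe was started with, which is what the host CRT's argv still reflects, and the patched line RunPE writes into the PEB (the "New args read from PEB" in the debug log in the issues below), which is what CommandLineToArgvW(GetCommandLineW()) sees. The RunPE.exe path is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 64

typedef struct {
    int argc;
    char *argv[MAX_ARGS + 1];   /* NULL-terminated like a real argv */
} ParsedArgs;

static char *dupstr(const char *s) {
    char *d = malloc(strlen(s) + 1);
    if (d) strcpy(d, s);
    return d;
}

static int is_ws(char c) { return c == ' ' || c == '\t'; }

/* Split a Windows command line with the rules documented for CommandLineToArgvW:
   whitespace separates arguments, double quotes group; 2n backslashes before a
   quote give n backslashes plus a delimiting quote, 2n+1 give n backslashes plus
   a literal quote; other backslashes are literal. The program name (argv[0])
   only honours quotes, never backslash escapes. Returns argc; argv strings are
   heap copies released by free_parsed_args(). */
int parse_windows_cmdline(const char *cmdline, ParsedArgs *pa) {
    char *buf = malloc(strlen(cmdline) + 1);   /* scratch for one argument */
    const char *p = cmdline;
    pa->argc = 0;
    pa->argv[0] = NULL;
    if (!buf) return 0;

    while (is_ws(*p)) p++;
    if (*p) {                                   /* argv[0]: program name */
        char *out = buf;
        int in_quotes = 0;
        while (*p && (in_quotes || !is_ws(*p))) {
            if (*p == '"') in_quotes = !in_quotes;
            else *out++ = *p;
            p++;
        }
        *out = '\0';
        pa->argv[pa->argc++] = dupstr(buf);
    }

    while (pa->argc < MAX_ARGS) {               /* argv[1..]: full rules */
        while (is_ws(*p)) p++;
        if (!*p) break;
        char *out = buf;
        int in_quotes = 0;
        while (*p && (in_quotes || !is_ws(*p))) {
            if (*p == '\\') {
                size_t n = 0;
                while (p[n] == '\\') n++;
                if (p[n] == '"') {
                    for (size_t i = 0; i < n / 2; i++) *out++ = '\\';
                    if (n % 2 == 1) { *out++ = '"'; p += n + 1; }  /* literal quote */
                    else p += n;                                  /* quote handled below */
                } else {
                    for (size_t i = 0; i < n; i++) *out++ = '\\';
                    p += n;
                }
            } else if (*p == '"') {
                in_quotes = !in_quotes;
                p++;
            } else {
                *out++ = *p++;
            }
        }
        *out = '\0';
        pa->argv[pa->argc++] = dupstr(buf);
    }
    pa->argv[pa->argc] = NULL;
    free(buf);
    return pa->argc;
}

void free_parsed_args(ParsedArgs *pa) {
    for (int i = 0; i < pa->argc; i++) free(pa->argv[i]);
    pa->argc = 0;
}

/* Index of `needle` in the parsed argv, or -1 when absent. */
int find_arg_index(const char *cmdline, const char *needle) {
    ParsedArgs pa;
    int idx = -1;
    parse_windows_cmdline(cmdline, &pa);
    for (int i = 0; i < pa.argc; i++)
        if (pa.argv[i] && strcmp(pa.argv[i], needle) == 0) { idx = i; break; }
    free_parsed_args(&pa);
    return idx;
}

/* Constructed inputs. HOST_CMDLINE is what the host (RunPE.exe, hypothetical path)
   was started with and what its CRT-initialised argv still reflects; PATCHED_CMDLINE
   is what RunPE writes into the PEB, so it is what GetCommandLineW() returns. */
static const char HOST_CMDLINE[] =
    "\"C:\\Tools\\RunPE.exe\" C:\\Windows\\System32\\net.exe localgroup administrators";
static const char PATCHED_CMDLINE[] =
    "C:\\Windows\\System32\\net.exe localgroup administrators";

int main(void) {
    const char *lines[] = { HOST_CMDLINE, PATCHED_CMDLINE };
    for (int k = 0; k < 2; k++) {
        ParsedArgs pa;
        parse_windows_cmdline(lines[k], &pa);
        for (int i = 0; i < pa.argc; i++) printf("argv[%d]: %s\n", i, pa.argv[i]);
        printf("\"localgroup\" is at index %d\n\n", find_arg_index(lines[k], "localgroup"));
        free_parsed_args(&pa);
    }
    return 0;
}
```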

runpe's People

Contributors

aconite33, kerrymilan, riskydissonance


runpe's Issues

Arguments do not get passed

When running a base64 encoded file via command line, arguments are not appropriately passed to the execution of the command of some binaries.

I have used net.exe just fine, however Mimikatz and CheekyBlinders both do not get arguments passed appropriately.

RunPE Version: Latest
OS: Windows 10
Build: OS Version: 10.0.19045 N/A Build 19045

Example running Mimikatz (latest):

image

[....snippet....]

image

As you can see, the execution of the PE works, however the arguments passed are not passed on to the PE.

I am using our C2 to wrap this functionality and passing the arguments, however they do not get executed.

I have also tried the CheekyBlinders (https://github.com/br-sn/CheekyBlinder) PE file, which results in the same issue of arguments not being passed to the PE binary.

You can see executing directly from the file works in both cases

Mimikatz:

image

[...snippet...]

image

Notice the highlighted area, where Mimikatz is being passed the Argument 0 instead of just coffee and exit

CheekyBlinders:

image

[...snippet...]

image

Note CheekyBlinders doesn't even execute correctly; however, this may again be because argv[0] is being passed instead of argv[1].

What interesting things can this library do?

Can someone please explain what interesting things this library can do? Although I couldn't understand anything from the readme.md file, which lacks detailed information, it seemed very interesting.
Thanks a lot.

Is there any way to bypass the argument limitations mentioned in README.md?

I'm using RunPE as a library in my project. I load the file bytes myself and added a public function to RunPE to which I can pass the file bytes and arguments. I build RunPE as a class library.

However, when trying to execute a binary, that does not use CommandLineToArgvW, the arguments passed to MY binary will get passed to the binary I want to execute and the first argument passed to StartExecution (which should be the args as a string[]) is ignored.

Is there any way to patch this, so that I can pass arguments programmatically?

execute whoami.exe failed

Attempted to execute whoami.exe, but there is no output:

> .\RunPE.exe C:\Windows\System32\whoami.exe
[*] Running: C:\Windows\System32\whoami.exe with no args
[*] Mapping PE into memory
[*] Mapped PE Base Address: 0x1060000
[*] No more blocks to map
[*] Mapped PE EntryPoint: 0x106D2B0
[+] Finished mapping PE file

[*] Original module: RunPE.exe
[*] Original module: ntdll.dll
[*] Original module: MSCOREE.DLL
[*] Original module: KERNEL32.dll
[*] Original module: KERNELBASE.dll
[*] Original module: ADVAPI32.dll
[*] Original module: msvcrt.dll
[*] Original module: sechost.dll
[*] Original module: RPCRT4.dll
[*] Original module: mscoreei.dll
[*] Original module: SHLWAPI.dll
[*] Original module: kernel.appcore.dll
[*] Original module: VERSION.dll
[*] Original module: clr.dll
[*] Original module: USER32.dll
[*] Original module: win32u.dll
[*] Original module: VCRUNTIME140_CLR0400.dll
[*] Original module: ucrtbase_clr0400.dll
[*] Original module: GDI32.dll
[*] Original module: gdi32full.dll
[*] Original module: msvcp_win.dll
[*] Original module: ucrtbase.dll
[*] Original module: IMM32.DLL
[*] Original module: mscorlib.ni.dll
[*] Original module: ole32.dll
[*] Original module: combase.dll
[*] Original module: bcryptPrimitives.dll
[*] Original module: clrjit.dll
[*] Original module: System.ni.dll
[*] Original module: System.Core.ni.dll
[*] Original module: psapi.dll
[+] Loaded ADVAPI32.dll
[+] Patching ADVAPI32.dll!LookupPrivilegeDisplayNameW, to: 0x7FFF2A606E80
[+] Patching ADVAPI32.dll!LookupPrivilegeNameW, to: 0x7FFF2A6071D0
[+] Patching ADVAPI32.dll!GetSidIdentifierAuthority, to: 0x7FFF2A5DB9E0
[+] Patching ADVAPI32.dll!LookupAccountSidW, to: 0x7FFF2A5D66F0
[+] Patching ADVAPI32.dll!GetLengthSid, to: 0x7FFF2A5D6870
[+] Patching ADVAPI32.dll!OpenProcessToken, to: 0x7FFF2A5D6940
[+] Patching ADVAPI32.dll!IsValidSid, to: 0x7FFF2A5D6C30
[+] Patching ADVAPI32.dll!CopySid, to: 0x7FFF2A5D6AD0
[+] Patching ADVAPI32.dll!GetSidSubAuthority, to: 0x7FFF2A5D6EC0
[+] Patching ADVAPI32.dll!GetSidSubAuthorityCount, to: 0x7FFF2A5D6E50
[+] Patching ADVAPI32.dll!AdjustTokenPrivileges, to: 0x7FFF2A5D77B0
[+] Patching ADVAPI32.dll!LookupPrivilegeValueW, to: 0x7FFF2A5CF980
[+] Patching ADVAPI32.dll!GetTokenInformation, to: 0x7FFF2A5D5F70
[+] Patching ADVAPI32.dll!InitializeSid, to: 0x7FFF2A5DAEB0
[+] Patching ADVAPI32.dll!EqualSid, to: 0x7FFF2A5D7BE0
[*] End of functions for ADVAPI32.dll

[+] Loaded KERNEL32.dll
[+] Patching KERNEL32.dll!CloseHandle, to: 0x7FFF2ACD48E0
[+] Patching KERNEL32.dll!LocalFree, to: 0x7FFF2ACC7B60
[+] Patching KERNEL32.dll!SetLastError, to: 0x7FFF2ACC5CB0
[+] Patching KERNEL32.dll!FileTimeToSystemTime, to: 0x7FFF2ACD5050
[+] Patching KERNEL32.dll!GetTimeFormatW, to: 0x7FFF2ACCF1C0
[+] Patching KERNEL32.dll!GetModuleFileNameW, to: 0x7FFF2ACCDF20
[+] Patching KERNEL32.dll!HeapSize, to: 0x7FFF2B7A56D0
[+] Patching KERNEL32.dll!HeapReAlloc, to: 0x7FFF2B7AC9A0
[+] Patching KERNEL32.dll!HeapAlloc, to: 0x7FFF2B7A6C80
[+] Patching KERNEL32.dll!HeapValidate, to: 0x7FFF2ACCC0F0
[+] Patching KERNEL32.dll!HeapFree, to: 0x7FFF2ACC5570
[+] Patching KERNEL32.dll!GetProcessHeap, to: 0x7FFF2ACC5BB0
[+] Patching KERNEL32.dll!GetConsoleOutputCP, to: 0x7FFF2ACD5300
[+] Patching KERNEL32.dll!HeapSetInformation, to: 0x7FFF2ACD03E0
[+] Patching KERNEL32.dll!WriteConsoleW, to: 0x7FFF2ACD53C0
[+] Patching KERNEL32.dll!CompareStringA, to: 0x7FFF2ACCD620
[+] Patching KERNEL32.dll!GetThreadLocale, to: 0x7FFF2ACCA0F0
[+] Patching KERNEL32.dll!CompareStringW, to: 0x7FFF2ACCC6A0
[+] Patching KERNEL32.dll!lstrlenW, to: 0x7FFF2ACC7000
[+] Patching KERNEL32.dll!GetStdHandle, to: 0x7FFF2ACCD490
[+] Patching KERNEL32.dll!GetConsoleMode, to: 0x7FFF2ACD52F0
[+] Patching KERNEL32.dll!GetFileType, to: 0x7FFF2ACD4DB0
[+] Patching KERNEL32.dll!WideCharToMultiByte, to: 0x7FFF2ACC5B30
[+] Patching KERNEL32.dll!FormatMessageW, to: 0x7FFF2ACCC890
[+] Patching KERNEL32.dll!TerminateProcess, to: 0x7FFF2ACD0760
[+] Patching KERNEL32.dll!UnhandledExceptionFilter, to: 0x7FFF2ACEB9D0
[+] Patching KERNEL32.dll!GetTickCount, to: 0x7FFF2ACC5640
[+] Patching KERNEL32.dll!GetSystemTimeAsFileTime, to: 0x7FFF2ACC7B80
[+] Patching KERNEL32.dll!GetCurrentThreadId, to: 0x7FFF2ACC5550
[+] Patching KERNEL32.dll!GetCurrentProcessId, to: 0x7FFF2ACD4890
[+] Patching KERNEL32.dll!QueryPerformanceCounter, to: 0x7FFF2ACC5C10
[+] Patching KERNEL32.dll!GetModuleHandleW, to: 0x7FFF2ACCD130
[+] Patching KERNEL32.dll!SetUnhandledExceptionFilter, to: 0x7FFF2ACCFE00
[+] Patching KERNEL32.dll!SleepConditionVariableSRW, to: 0x7FFF2943AB40
[+] Patching KERNEL32.dll!WakeAllConditionVariable, to: 0x7FFF2B7DD3D0
[+] Patching KERNEL32.dll!AcquireSRWLockExclusive, to: 0x7FFF2B7ADC30
[+] Patching KERNEL32.dll!ReleaseSRWLockExclusive, to: 0x7FFF2B7B0B10
[+] Patching KERNEL32.dll!Sleep, to: 0x7FFF2ACCADA0
[+] Patching KERNEL32.dll!GetCurrentProcess, to: 0x7FFF2ACD4880
[+] Patching KERNEL32.dll!SetThreadUILanguage, to: 0x7FFF2ACCC610
[+] Patching KERNEL32.dll!GetLastError, to: 0x7FFF2ACC5BF0
[+] Patching KERNEL32.dll!ExitProcess, to: 0x7FFF2ACCE0A0
[*] End of functions for KERNEL32.dll

[+] Loaded msvcrt.dll
[+] Patching msvcrt.dll!fprintf, to: 0x7FFF2AC574B0
[+] Patching msvcrt.dll!fflush, to: 0x7FFF2AC572B0
[+] Patching msvcrt.dll!wcstok, to: 0x7FFF2AC6E4F0
[+] Patching msvcrt.dll!_get_osfhandle, to: 0x7FFF2AC2C990
[+] Patching msvcrt.dll!_fileno, to: 0x7FFF2AC57000
[+] Patching msvcrt.dll!wcstoul, to: 0x7FFF2AC15570
[+] Patching msvcrt.dll!wcstol, to: 0x7FFF2AC154F0
[+] Patching msvcrt.dll!wcstod, to: 0x7FFF2AC14EB0
[+] Patching msvcrt.dll!_errno, to: 0x7FFF2AC17D60
[+] Patching msvcrt.dll!_memicmp, to: 0x7FFF2AC6A500
[+] Patching msvcrt.dll!?terminate@@YAXXZ, to: 0x7FFF2AC1AE00
[+] Patching msvcrt.dll!??1type_info@@UEAA@XZ, to: 0x7FFF2AC24040
[+] Patching msvcrt.dll!_onexit, to: 0x7FFF2AC3A990
[+] Patching msvcrt.dll!__dllonexit, to: 0x7FFF2AC3A8B0
[+] Patching msvcrt.dll!_unlock, to: 0x7FFF2AC4B280
[+] Patching msvcrt.dll!_lock, to: 0x7FFF2AC4B040
[+] Patching msvcrt.dll!_commode, to: 0x7FFF2ACA56D8
[+] Patching msvcrt.dll!_fmode, to: 0x7FFF2ACA467C
[+] Patching msvcrt.dll!__C_specific_handler, to: 0x7FFF2AC37F60
[+] Patching msvcrt.dll!_initterm, to: 0x7FFF2AC4A510
[+] Patching msvcrt.dll!__setusermatherr, to: 0x7FFF2AC78160
[+] Patching msvcrt.dll!_cexit, to: 0x7FFF2AC4A210
[+] Patching msvcrt.dll!_exit, to: 0x7FFF2AC4A0D0
[+] Patching msvcrt.dll!exit, to: 0x7FFF2AC4A7D0
[+] Patching msvcrt.dll!__set_app_type, to: 0x7FFF2AC3B130
[+] Patching msvcrt.dll!__wgetmainargs, to: 0x7FFF2AC17A50
[+] Patching msvcrt.dll!_amsg_exit, to: 0x7FFF2AC4A190
[+] Patching msvcrt.dll!_XcptFilter, to: 0x7FFF2AC37D70
[+] Patching msvcrt.dll!_CxxThrowException, to: 0x7FFF2AC1AE80
[+] Patching msvcrt.dll!_callnewh, to: 0x7FFF2AC29280
[+] Patching msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z, to: 0x7FFF2AC1A6C0
[+] Patching msvcrt.dll!malloc, to: 0x7FFF2AC29CD0
[+] Patching msvcrt.dll!free, to: 0x7FFF2AC29C80
[+] Patching msvcrt.dll!memmove_s, to: 0x7FFF2AC6CF70
[+] Patching msvcrt.dll!??0exception@@QEAA@AEBV0@@Z, to: 0x7FFF2AC1A6E0
[+] Patching msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z, to: 0x7FFF2AC1A640
[+] Patching msvcrt.dll!??0exception@@QEAA@XZ, to: 0x7FFF2AC1A770
[+] Patching msvcrt.dll!??1exception@@UEAA@XZ, to: 0x7FFF2AC1A7D0
[+] Patching msvcrt.dll!?what@exception@@UEBAPEBDXZ, to: 0x7FFF2AC1AA90
[+] Patching msvcrt.dll!memcpy_s, to: 0x7FFF2AC6CED0
[+] Patching msvcrt.dll!_ultow, to: 0x7FFF2AC12E10
[+] Patching msvcrt.dll!_vsnwprintf, to: 0x7FFF2AC5AD20
[+] Patching msvcrt.dll!__CxxFrameHandler3, to: 0x7FFF2AC1B560
[+] Patching msvcrt.dll!__iob_func, to: 0x7FFF2AC4CF40
[+] Patching msvcrt.dll!memset, to: 0x7FFF2AC84680
[*] End of functions for msvcrt.dll

[+] Loaded ntdll.dll
[+] Patching ntdll.dll!RtlVerifyVersionInfo, to: 0x7FFF2B809AE0
[+] Patching ntdll.dll!RtlCaptureContext, to: 0x7FFF2B82FEA0
[+] Patching ntdll.dll!RtlLookupFunctionEntry, to: 0x7FFF2B7B3E50
[+] Patching ntdll.dll!VerSetConditionMask, to: 0x7FFF2B7FF670
[+] Patching ntdll.dll!RtlVirtualUnwind, to: 0x7FFF2B7B20B0
[*] End of functions for ntdll.dll

[+] Loaded USER32.dll
[+] Patching USER32.dll!LoadStringW, to: 0x7FFF2AE77FD0
[+] Patching USER32.dll!CharLowerW, to: 0x7FFF2AE81D60
[+] Patching USER32.dll!CharUpperW, to: 0x7FFF2AE76B50
[*] End of functions for USER32.dll

[+] Loaded WS2_32.dll
[*] End of functions for WS2_32.dll

[+] Loaded SHLWAPI.dll
[+] Patching SHLWAPI.dll!StrStrW, to: 0x7FFF2B52F8E0
[+] Patching SHLWAPI.dll!StrStrIW, to: 0x7FFF2B526A50
[+] Patching SHLWAPI.dll!StrChrW, to: 0x7FFF2B5262A0
[+] Patching SHLWAPI.dll!StrChrIW, to: 0x7FFF2B527FB0
[*] End of functions for SHLWAPI.dll

[+] Loaded VERSION.dll
[+] Patching VERSION.dll!VerQueryValueW, to: 0x7FFF207F1050
[+] Patching VERSION.dll!GetFileVersionInfoExW, to: 0x7FFF207F1070
[+] Patching VERSION.dll!GetFileVersionInfoSizeExW, to: 0x7FFF207F1090
[*] End of functions for VERSION.dll

[+] Loaded AUTHZ.dll
[+] Patching AUTHZ.dll!FreeClaimDefinitions, to: 0x7FFF27CE1130
[+] Patching AUTHZ.dll!InitializeClaimDictionary, to: 0x7FFF27CE13B0
[+] Patching AUTHZ.dll!GetClaimDefinitions, to: 0x7FFF27CE1200
[+] Patching AUTHZ.dll!FreeClaimDictionary, to: 0x7FFF27CE11E0
[*] End of functions for AUTHZ.dll

[+] Loaded SspiCli.dll
[+] Patching SspiCli.dll!LsaConnectUntrusted, to: 0x7FFF28D8A6A0
[+] Patching SspiCli.dll!LsaLookupAuthenticationPackage, to: 0x7FFF28D83B80
[+] Patching SspiCli.dll!LsaCallAuthenticationPackage, to: 0x7FFF28D83A20
[+] Patching SspiCli.dll!GetUserNameExW, to: 0x7FFF28D88020
[*] End of functions for SspiCli.dll

[+] Loaded wkscli.dll
[+] Patching wkscli.dll!NetGetJoinInformation, to: 0x7FFF280B16F0
[*] End of functions for wkscli.dll

[+] Loaded netutils.dll
[+] Patching netutils.dll!NetApiBufferFree, to: 0x7FFF283F1060
[*] End of functions for netutils.dll

[*] End of DLLs
[+] Finished resolving imports

[*] PEB Base Address: 0xAC1000
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer Address: 0xAC1020
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer: 0xD021F0
[*] CommandLine String Pointer Pointer: 0x13640296
[*] CommandLine String Pointer: 0x13641904
[*] Image String Pointer Pointer: 0x13640280
[*] Image String Pointer: 0x13641784
[*] Length Pointer: 0x13640288
[*] Length Value: 0xB8 (184)
[*] MaxLength Pointer: 0x13640290
[*] MaxLength Value: 0xBA (186)
[*] Current args read from PEB: "C:\Users\Thin0\source\repos\RunPE\RunPE\bin\Debug\RunPE.exe" C:\Windows\System32\whoami.exe
[*] Current image read from PEB: C:\Users\Thin0\source\repos\RunPE\RunPE\bin\Debug\RunPE.exe
[*] Patching CommandLine string pointer...
[+] Patched pointer at 0xD02268 to 0xDC61A0
[*] Patching Image string pointer...
[+] Patched pointer at 0xD02258 to 0xDC5FC0
[*] Patching Length...
[*] Patching MaximumLength...
[*] PEB Base Address: 0xAC1000
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer Address: 0xAC1020
[*] PEB RTL_USER_PROCESS_PARAMETERS Struct Pointer: 0xD021F0
[*] CommandLine String Pointer Pointer: 0x13640296
[*] CommandLine String Pointer: 0x14442912
[*] Image String Pointer Pointer: 0x13640280
[*] Image String Pointer: 0x14442432
[*] Length Pointer: 0x13640288
[*] Length Value: 0x21 (33)
[*] MaxLength Pointer: 0x13640290
[*] MaxLength Value: 0x21 (33)
[*] New args read from PEB: "C:\Windows\System32\whoami.exe"
[*] New image read from PEB: C:\Windows\System32\whoami.exe
[*] New length read from PEB: 33
[*] New maxlength read from PEB: 33
[+] Finished Patching PEB

[+] Patching GetCommandLine API Call...
[*] String bytes: 22 0 43 0 3A 0 5C 0 55 0 73 0 65 0 72 0 73 0 5C 0 54 0 68 0 69 0 6E 0 30 0 5C 0 73 0 6F 0 75 0 72 0 63 0 65 0 5C 0 72 0 65 0 70 0 6F 0 73 0 5C 0 52 0 75 0 6E 0 50 0 45 0 5C 0 52 0 75 0 6E 0 50 0 45 0 5C 0 62 0 69 0 6E 0 5C 0 44 0
[*] String encoding determined to be: System.Text.UTF8Encoding
[*] Old GetCommandLine return value: 0xD028B0
[*] New String Address: 0xDC54D0
[*] Patching kernelbase!GetCommandLineW
[*] PatchBytes: 0x48 0xB8 0xD0 0x54 0xDC 0x0 0x0 0x0 0x0 0x0 0xC3
[*] PatchBytes Len: 11
[*] kernelbase!GetCommandLineW API function at: 0x7FFF29447B40
[*] Original bytes: 0x48 0x8B 0x5 0x91 0x43 0x21 0x0 0xC3 0xCC 0xCC 0xCC
[*] Changed protections on kernelbase!GetCommandLineW to RW
[+] Patched function kernelbase!GetCommandLineW
[*] Reverted memory protections on kernelbase!GetCommandLineW
[*] New GetCommandLine return value: 0xDC54D0
[*] Patched CommandLine string from GetCommandLine API call: "C:\Windows\System32\whoami.exe"
[+] Finished Patching API Calls

[*] kernelbase!ExitThread API function at: 0x7FFF2B7DCEF0
[*] Patching kernelbase!TerminateProcess, redirecting flow to kernelbase!ExitThread
[*] Patching kernelbase!TerminateProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] kernelbase!TerminateProcess API function at: 0x7FFF2944B320
[*] Original bytes: 0x48 0x89 0x5C 0x24 0x8 0x57 0x48 0x83 0xEC 0x20 0x8B 0xFA 0x48 0x8B 0xD9 0x48 0x85 0xC9 0xF
[*] Changed protections on kernelbase!TerminateProcess to RW
[+] Patched function kernelbase!TerminateProcess
[*] Reverted memory protections on kernelbase!TerminateProcess
[*] Patching mscoree!CorExitProcess, redirecting flow to kernelbase!ExitThread
[*] Patching mscoree!CorExitProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] mscoree!CorExitProcess API function at: 0x7FFF01DD7450
[*] Original bytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x48 0x83 0x64 0x24 0x38 0x0 0x8B 0xD9 0x48 0x8D 0x4C 0x24 0x38
[*] Changed protections on mscoree!CorExitProcess to RW
[+] Patched function mscoree!CorExitProcess
[*] Reverted memory protections on mscoree!CorExitProcess
[*] Patching ntdll!NtTerminateProcess, redirecting flow to kernelbase!ExitThread
[*] Patching ntdll!NtTerminateProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] ntdll!NtTerminateProcess API function at: 0x7FFF2B82C310
[*] Original bytes: 0x4C 0x8B 0xD1 0xB8 0x2C 0x0 0x0 0x0 0xF6 0x4 0x25 0x8 0x3 0xFE 0x7F 0x1 0x75 0x3 0xF
[*] Changed protections on ntdll!NtTerminateProcess to RW
[+] Patched function ntdll!NtTerminateProcess
[*] Reverted memory protections on ntdll!NtTerminateProcess
[*] Patching ntdll!RtlExitUserProcess, redirecting flow to kernelbase!ExitThread
[*] Patching ntdll!RtlExitUserProcess
[*] PatchBytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] PatchBytes Len: 19
[*] ntdll!RtlExitUserProcess API function at: 0x7FFF2B7F3BD0
[*] Original bytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x8B 0xD9 0xE8 0x33 0xD4 0x1 0x0 0x65 0x48 0x8B 0x4 0x25 0x30
[*] Changed protections on ntdll!RtlExitUserProcess to RW
[+] Patched function ntdll!RtlExitUserProcess
[*] Reverted memory protections on ntdll!RtlExitUserProcess
[+] Exit functions patched

[*] Creating STDOut Pipes to redirect to
[+] Created File Descriptor pipes:
        [*] Read: 0x2F0
        [*] Write: 0x2F4
[*] Creating STDIn Pipes to redirect to
[+] Created File Descriptor pipes:
        [*] Read: 0x2F8
        [*] Write: 0x2FC
[+] SetStdHandle STDOUT to 0x2F4
[+] SetStdHandle STDERROR to 0x2F4
[+] SetStdHandle STDIN to 0x2FC

[*] Performing extra environmental patches
[*] Patching the main module base address in the PEB to 0x1060000
[*] Address of main module base address in PEB: 0xAC1010
[*] Main module base address read from PEB: 0x8C0000
[-] Unable to change memory protections to RW for modification on address: 0xAC1010
[-] Unable to patch main module base address in PEB at: 0xAC1010

[*] Patching kernelbase!GetModuleHandleW to return base address of loaded PE if called with NULL
[*] New func at: 0x1080000
[*] Patching kernelbase!GetModuleHandleW
[*] PatchBytes: 0x48 0xB8 0x0 0x0 0x8 0x1 0x0 0x0 0x0 0x0 0xFF 0xE0
[*] PatchBytes Len: 12
[*] kernelbase!GetModuleHandleW API function at: 0x7FFF294008C0
[*] Original bytes: 0x48 0x89 0x5C 0x24 0x10 0x57 0x48 0x83 0xEC 0x30 0x33 0xDB
[*] Changed protections on kernelbase!GetModuleHandleW to RW
[+] Patched function kernelbase!GetModuleHandleW
[*] Reverted memory protections on kernelbase!GetModuleHandleW

[*] Executing loaded PE

 [*] Reverting patch to kernelbase!TerminateProcess
[*] Patching kernelbase!TerminateProcess
[*] PatchBytes: 0x48 0x89 0x5C 0x24 0x8 0x57 0x48 0x83 0xEC 0x20 0x8B 0xFA 0x48 0x8B 0xD9 0x48 0x85 0xC9 0xF
[*] PatchBytes Len: 19
[*] kernelbase!TerminateProcess API function at: 0x7FFF2944B320
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on kernelbase!TerminateProcess to RW
[+] Patched function kernelbase!TerminateProcess
[*] Reverted memory protections on kernelbase!TerminateProcess
[*] Reverting patch to mscoree!CorExitProcess
[*] Patching mscoree!CorExitProcess
[*] PatchBytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x48 0x83 0x64 0x24 0x38 0x0 0x8B 0xD9 0x48 0x8D 0x4C 0x24 0x38
[*] PatchBytes Len: 19
[*] mscoree!CorExitProcess API function at: 0x7FFF01DD7450
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on mscoree!CorExitProcess to RW
[+] Patched function mscoree!CorExitProcess
[*] Reverted memory protections on mscoree!CorExitProcess
[*] Reverting patch to ntdll!NtTerminateProcess
[*] Patching ntdll!NtTerminateProcess
[*] PatchBytes: 0x4C 0x8B 0xD1 0xB8 0x2C 0x0 0x0 0x0 0xF6 0x4 0x25 0x8 0x3 0xFE 0x7F 0x1 0x75 0x3 0xF
[*] PatchBytes Len: 19
[*] ntdll!NtTerminateProcess API function at: 0x7FFF2B82C310
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on ntdll!NtTerminateProcess to RW
[+] Patched function ntdll!NtTerminateProcess
[*] Reverted memory protections on ntdll!NtTerminateProcess
[*] Reverting patch to ntdll!RtlExitUserProcess
[*] Patching ntdll!RtlExitUserProcess
[*] PatchBytes: 0x40 0x53 0x48 0x83 0xEC 0x20 0x8B 0xD9 0xE8 0x33 0xD4 0x1 0x0 0x65 0x48 0x8B 0x4 0x25 0x30
[*] PatchBytes Len: 19
[*] ntdll!RtlExitUserProcess API function at: 0x7FFF2B7F3BD0
[*] Original bytes: 0x48 0xC7 0xC1 0x0 0x0 0x0 0x0 0x48 0xB8 0xF0 0xCE 0x7D 0x2B 0xFF 0x7F 0x0 0x0 0x50 0xC3
[*] Changed protections on ntdll!RtlExitUserProcess to RW
[+] Patched function ntdll!RtlExitUserProcess
[*] Reverted memory protections on ntdll!RtlExitUserProcess
[+] Exit patches reverted

[*] Reverting patch to kernelbase!GetModuleHandleW
[*] Patching kernelbase!GetModuleHandleW
[*] PatchBytes: 0x48 0x89 0x5C 0x24 0x10 0x57 0x48 0x83 0xEC 0x30 0x33 0xDB
[*] PatchBytes Len: 12
[*] kernelbase!GetModuleHandleW API function at: 0x7FFF294008C0
[*] Original bytes: 0x48 0xB8 0x0 0x0 0x8 0x1 0x0 0x0 0x0 0x0 0xFF 0xE0
[*] Changed protections on kernelbase!GetModuleHandleW to RW
[+] Patched function kernelbase!GetModuleHandleW
[*] Reverted memory protections on kernelbase!GetModuleHandleW
[+] Extra API patches reverted

[*] Reverting patch to main module base address in PEB at: 0x11276304
[-] Unable to change memory protections to RW for modification on address: 0xAC1010
[-] Unable to revert patch to main module base address in PEB at: 0x11276304
[*] Reset StdError, StdOut, StdIn
[+] SetStdHandle STDOUT to 0x54
[+] SetStdHandle STDERROR to 0x58
[+] SetStdHandle STDIN to 0x4C
[*] Closing StdOut pipes
[+] CloseHandle write
[+] CloseHandle read
[-] Unable to read from 'subprocess' pipe
[*] Closing StdIn pipes
[+] CloseHandle write
[+] CloseHandle read
[*] Closing StdOut pipes
[+] CloseHandle write
[+] CloseHandle read
[*] Closing StdIn pipes
[+] CloseHandle write
[+] CloseHandle read
[*] Reverting patch to kernelbase!GetCommandLineW
[*] Patching kernelbase!GetCommandLineW
[*] PatchBytes: 0x48 0x8B 0x5 0x91 0x43 0x21 0x0 0xC3 0xCC 0xCC 0xCC
[*] PatchBytes Len: 11
[*] kernelbase!GetCommandLineW API function at: 0x7FFF29447B40
[*] Original bytes: 0x48 0xB8 0xD0 0x54 0xDC 0x0 0x0 0x0 0x0 0x0 0xC3
[*] Changed protections on kernelbase!GetCommandLineW to RW
[+] Patched function kernelbase!GetCommandLineW
[*] Reverted memory protections on kernelbase!GetCommandLineW
[*] Reverting patch to command line string pointer
[+] Patched pointer at 0xD02268 to 0xD028B0
[*] Reverting patch to image string pointer
[+] Patched pointer at 0xD02258 to 0xD02838
[*] Reverting patch to command line string length
[*] Patching command line string max length
[+] Args reverted

[*] Zeroing out and freeing loaded PE image at 0x1060000 with size: 0x16000
[*] PE artifacts cleared from memory

[*] Cleaning up loaded DLLs
[*] Freeing WS2_32.dll at 0x7FFF2B580000
[*] Freeing AUTHZ.dll at 0x7FFF27CC0000
[*] Freeing SspiCli.dll at 0x7FFF28D80000
[*] Freeing wkscli.dll at 0x7FFF280B0000
[*] Freeing netutils.dll at 0x7FFF283F0000
[*] Freeing clbcatq.dll at 0x7FFF2A280000
[+] Loaded DLLs cleaned up

[*] Retrieving the 'subprocess' stdout & stderr

------------------------ EXE OUTPUT -------------------------



--------------------- END OF EXE OUTPUT ---------------------

[+] End of RunPE

how to use it in my project?

Hello,
I'm new to C#, so sorry if this question is dumb.
I want to know how to use it inside my project.
What should I do?

Not capturing STDOUT/STDERR

When running certain PE files, the STDOUT/STDERR is not captured appropriately.

RunPE Version: Latest
OS: Windows 10
Build: OS Version: 10.0.19045 N/A Build 19045

Example running Mimikatz (latest):

image

[...snippet...]

image

As you can see, the execution of the PE works, however no output is pushed to the redirection pipe handlers.

I am using our C2 to wrap this functionality and when I try to get the output, there is nothing that is returned (https://github.com/nettitude/RunPE/blob/main/RunPE/Program.cs#L107)

I have also tried the CheekyBlinders (https://github.com/br-sn/CheekyBlinder) PE file, which results in the same issue of no output being collected.

Unable to read from 'subprocess' pipe when using base64 blob

Hey guys. Appreciate the work you have done with this and RunOF and we are trying to get RunPE integrated into Empire next.
I ran into a strange issue both locally and through the C2 where it reports back that [-] Unable to read from 'subprocess' pipe. This error happens when I run Mimikatz locally with the file directly, which also seems strange. I tested a few examples: CheekyBlinders.exe (with the updates from #11), Mimikatz, and ATPMiniDump.exe.

image

This is what it looks like if I pass in our Task function, which is using Covenant's Roslyn compiler with a modified version of your project (needed public functions).

    using System;
    using System.IO;
    using System.Linq;
    using System.Reflection;
    using RunPE;
    
    public static class Task
    {
        public static Stream OutputStream { get; set; }
        public static string Execute(string Command = "")
        {
            TextWriter realStdOut = Console.Out;
            TextWriter realStdErr = Console.Error;
            StreamWriter stdOutWriter = new StreamWriter(OutputStream);
            StreamWriter stdErrWriter = new StreamWriter(OutputStream);
            stdOutWriter.AutoFlush = true;
            stdErrWriter.AutoFlush = true;
            Console.SetOut(stdOutWriter);
            Console.SetError(stdErrWriter);
            var assembly = Assembly.GetExecutingAssembly();
            var resourceName = "executable.txt";
            string[] names = assembly.GetManifestResourceNames();
            StreamReader reader = new StreamReader(assembly.GetManifestResourceStream(resourceName));
            string executable = reader.ReadToEnd();
            
            string string_args = "---b " + executable + " " + Command;
            string[] args = string_args.Split(' ');
            RunPE.Program.Main(args);
            
            Console.Out.Flush();
            Console.Error.Flush();
            Console.SetOut(realStdOut);
            Console.SetError(realStdErr);
  
            OutputStream.Close();
            return "";
        }
    }

When I run directly through the application, I can get RunPE to work with ATPMiniDump and CheekyBlinder.
image

And it runs with Mimikatz, but it gives that subprocess pipe error.
image

I'm sure it's something stupid on my part, so I would greatly appreciate any suggestions.

Failed to run with "file-to-pretend-to-be"

I have some issues with the file-to-pretend-to-be option, I'm trying to run net.exe with svchost.exe and it gives the above error:

RunPE.exe ---f C:\Windows\System32\svchost.exe ---b QzpcV2luZG93c1xTeXN0ZW0zMlxuZXQuZXhl ---a bG9jYWxncm91cCBhZG1pbmlzdHJhdG9ycw==
[*] Running base64 encoded binary as file C:\Windows\System32\svchost.exe with args: 'localgroup administrators'
[*] Mapping PE into memory
[*] Mapped PE Base Address: 0x0
[-] Error running RunPE: System.ArgumentNullException: Value cannot be null.
Parameter name: destination
   at System.Runtime.InteropServices.Marshal.CopyToNative(Object source, Int32 startIndex, IntPtr destination, Int32 length)
   at RunPE.Patchers.PEMapper.MapPEIntoMemory(Byte[] unpacked, PELoader& peLoader, Int64& currentBase) in C:\Users\user\Desktop\RunPE-main\RunPE\Patchers\PEMapper.cs:line 31
   at RunPE.Program.Main(String[] args) in C:\Users\user\Desktop\RunPE-main\RunPE\Program.cs:line 53

Not able to capture stdout

When using RunPE in a process which has no attached console (conhost.exe), we can't use the SetStdHandle function to redirect the stdout. Is there any way to handle this problem without creating or attaching to a console?

Not working on Windows7

[*] Patching kernelbase!GetModuleHandleW to return base address of loaded PE if called with NULL
[*] Calculating patch length for kernelbase!GetModuleHandleW
[-] Error running RunPE: System.Exception: Unable to calculate patch length, the function may have changed to a point it is is no longer recognised and this code needs to be updated
   at RunPE.Patchers.ExtraAPIPatcher.CalculatePatchLength(IntPtr funcAddress)
   at RunPE.Patchers.ExtraAPIPatcher.PatchAPIs(IntPtr baseAddress)
   at RunPE.Program.Main(String[] args)

Questions

I have questions about RunPE and how to do it in C#. It looks like you know quite a lot, so if you could email me that would be great.
